lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1092760691.2386.17.camel@anduril.intranet.cartel-securite.net>
Date: Tue, 17 Aug 2004 18:38:11 +0200
From: Cedric Blancher <blancher@...tel-securite.fr>
To: bugtraq@...urityfocus.com
Subject: Re: SQL Injection in CACTI


Le mar 17/08/2004 à 10:53, Thomas Chiverton a écrit :
> >                 php_flag magic_quotes_gpc Off
> Cacti 0.8.5a does not ship with this set Off*, so this must be a Debian 
> packaging error.

Cacti does not ship PHP. This option is related to PHP configuration,
not to Cacti, that should not rely on any PHP specific option unless
clearly mentionned (e.g. "Cacti must have magic_quotes_gpc set to On"),
would it be default or not.
I just checked available PHP distros, i.e. 4.3.8 and 5.0.1. They are
shipped with two php.ini files, php.ini-distand php.ini-recommanded. The
first one has magic_quotes_gpc set to On, but it is set to Off in the
second one...

> The install instructions at 
> http://www.raxnet.net/products/cacti/documentation.php?action=view&id=6
> make no mention off having to disable the magic quote feature.

True. And it is not mentionned to have it On either.

> I am running this version of Cacti with magic quotes On fine, this is the PHP 
> default, afaik.

Cacti should not rely on specific PHP configuration to escape characters
using magic quotes in order to prevent command/code/SQL/whatever
injection, or any security stuff, but its own code to validate user
input.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ